  • NIST Special Publication 800-53 Revision 4

    Security and Privacy Controls for Federal Information Systems and Organizations

    JOINT TASK FORCE TRANSFORMATION INITIATIVE

    This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4

    April 2013 INCLUDES UPDATES AS OF 01-22-2015

    U.S. Department of Commerce Rebecca M. Blank, Acting Secretary

    National Institute of Standards and Technology

    Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director


  • Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations

    Authority

    This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

    Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

    National Institute of Standards and Technology Special Publication 800-53, Revision 4 462 pages (April 2013)

    CODEN: NSPUE2

    This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4

    Comments on this publication may be submitted to:

    National Institute of Standards and Technology
    Attn: Computer Security Division, Information Technology Laboratory
    100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930
    Electronic Mail: [email protected]

    Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

    There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.

    Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

    PAGE ii


    Reports on Computer Systems Technology

    The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

    Abstract

    This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.

    Keywords

    Assurance; computer security; FIPS Publication 199; FIPS Publication 200, FISMA; Privacy Act; Risk Management Framework; security controls; security requirements.


    Acknowledgements

    This publication was developed by the Joint Task Force Transformation Initiative Interagency Working Group with representatives from the Civil, Defense, and Intelligence Communities in an ongoing effort to produce a unified information security framework for the federal government. The National Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from the Departments of Commerce and Defense, the Office of the Director of National Intelligence, the Committee on National Security Systems, and the members of the interagency technical working group whose dedicated efforts contributed significantly to the publication. The senior leaders, interagency working group members, and their organizational affiliations include:

    Department of Defense
      Teresa M. Takai, DoD Chief Information Officer
      Robert J. Carey, Principal Deputy DoD Chief Information Officer
      Richard Hale, Deputy Chief Information Officer for Cybersecurity
      Dominic Cussatt, Deputy Director, Cybersecurity Policy

    Office of the Director of National Intelligence
      Adolpho Tarasiuk Jr., Assistant DNI and Intelligence Community Chief Information Officer
      Charlene Leubecker, Deputy Intelligence Community Chief Information Officer
      Catherine A. Henson, Director, Data Management
      Greg Hall, Chief, Risk Management and Information Security Programs Division

    National Institute of Standards and Technology
      Charles H. Romine, Director, Information Technology Laboratory
      Donna Dodson, Cybersecurity Advisor, Information Technology Laboratory
      Donna Dodson, Chief, Computer Security Division
      Ron Ross, FISMA Implementation Project Leader

    Committee on National Security Systems
      Teresa M. Takai, Chair, CNSS
      Richard Spires, Co-Chair, CNSS
      Dominic Cussatt, CNSS Subcommittee Tri-Chair
      Jeffrey Wilk, CNSS Subcommittee Tri-Chair
      Richard Tannich, CNSS Subcommittee Tri-Chair

    Joint Task Force Transformation Initiative Interagency Working Group
      Ron Ross, NIST, JTF Leader
      Gary Stoneburner, Johns Hopkins APL
      Richard Graubart, The MITRE Corporation
      Kelley Dempsey, NIST
      Esten Porter, The MITRE Corporation
      Bennett Hodge, Booz Allen Hamilton
      Karen Quigg, The MITRE Corporation
      Christian Enloe, NIST
      Kevin Stine, NIST
      Jennifer Fabius, The MITRE Corporation
      Daniel Faigin, The Aerospace Corporation
      Arnold Johnson, NIST
      Lisa Kaiser, DHS
      Pam Miller, The MITRE Corporation
      Sandra Miravalle, The MITRE Corporation
      Victoria Pillitteri, NIST

    In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and Elizabeth Lennon of NIST for their superb technical editing and administrative support. The authors also wish to recognize Marshall Abrams, Nadya Bartol, Frank Belz, Deb Bodeau, Dawn Cappelli, Corinne Castanza, Matt Coose, George Dinolt, Kurt Eleam, Jennifer Guild, Cynthia Irvine, Cass Kelly, Steve LaFountain, Steve Lipner, Tom Macklin, Tim McChesney, Michael McEvilley, John Mildner, Joji Montelibano, George Moore, LouAnna Notargiacomo, Dorian Pappas, Roger Schell, Carol Woody, and the research staff from the NIST Computer Security Division for their exceptional contributions in helping to improve the content of the publication. And finally, the authors also gratefully acknowledge and appreciate the significant contributions from individuals, working groups, and organizations in the public and private sectors, both nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.


    FIPS 200 AND SP 800-53

    IMPLEMENTING INFORMATION SECURITY STANDARDS AND GUIDELINES

    FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation.

    FIPS 200 and NIST Special Publication 800-53, in combination, ensure that appropriate security requirements and security controls are applied to all federal information and information systems. An organizational assessment of risk validates the initial security control selection and determines if additional controls are needed to protect organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. The resulting set of security controls establishes a level of security due diligence for the organization.
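    The categorize-then-select sequence described in the note above, as an added worked example (not NIST's text or code): a parser for the FIPS 199 security-category notation `SC = {(confidentiality, x), (integrity, y), (availability, z)}`, the FIPS 200 high-water-mark rule that derives the system impact level from that category, and selection of the matching SP 800-53 baseline together with a record of tailoring decisions. The SC notation and the high-water-mark rule come from FIPS 199 and FIPS 200 rather than this page; the TailoringDecision record, the sample payroll categorization and the control identifier AC-17 used in the sample are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Potential impact values defined by FIPS 199, in ascending order.
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
# The three security objectives a FIPS 199 security category must cover.
OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 200 impact level -> SP 800-53 baseline used as the tailoring starting point.
BASELINE_FOR_LEVEL = {"LOW": "low", "MODERATE": "moderate", "HIGH": "high"}

# Matches one "(objective, impact)" pair inside "SC ... = {(...), (...), (...)}".
_PAIR = re.compile(r"\(\s*([A-Za-z]+)\s*,\s*([A-Za-z][A-Za-z /]*?)\s*\)")


def parse_security_category(text: str) -> dict:
    """Parse a FIPS 199 security category string into {objective: impact}.

    Rejects unknown objectives or impacts, duplicate or missing objectives,
    and 'not applicable', which FIPS 199 permits only for the confidentiality
    of an information type, never in a system-level category (minimum is LOW).
    """
    found = {}
    for objective, impact in _PAIR.findall(text):
        objective, impact = objective.lower(), impact.upper()
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        if impact in ("NOT APPLICABLE", "N/A"):
            raise ValueError(f"{objective}: 'not applicable' is not allowed in a "
                             "system security category; the minimum impact is LOW")
        if impact not in IMPACT_ORDER:
            raise ValueError(f"{objective}: unknown potential impact {impact}")
        if objective in found:
            raise ValueError(f"duplicate objective: {objective}")
        found[objective] = impact
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"security category lacks objectives: {missing}")
    return found


def check_security_category(text: str) -> str:
    """Return '' if the category is well formed, else the validation message."""
    try:
        parse_security_category(text)
    except ValueError as err:
        return str(err)
    return ""


def impact_level(category: dict) -> str:
    """FIPS 200 high-water mark: the system impact level is the highest of the three."""
    return max(category.values(), key=IMPACT_ORDER.__getitem__)


@dataclass
class TailoringDecision:
    """One documented tailoring action applied to the baseline (assumed structure)."""
    control: str    # control identifier as written in the SP 800-53 catalog
    action: str     # e.g. "scoped out", "parameter assigned", "compensating control"
    rationale: str  # risk-based justification; an empty rationale is rejected


@dataclass
class ControlSelection:
    system: str
    category: dict
    level: str
    baseline: str
    tailoring: list = field(default_factory=list)


def categorize_and_select(system: str, sc_text: str, tailoring=()) -> ControlSelection:
    """Step 1: categorize (FIPS 199). Step 2: derive the impact level (FIPS 200).
    Step 3: select the SP 800-53 baseline and record each tailoring decision,
    refusing any decision that carries no documented rationale.
    """
    category = parse_security_category(sc_text)
    level = impact_level(category)
    selection = ControlSelection(system, category, level, BASELINE_FOR_LEVEL[level])
    for decision in tailoring:
        if not decision.rationale.strip():
            raise ValueError(f"{decision.control}: tailoring requires a documented rationale")
        selection.tailoring.append(decision)
    return selection


if __name__ == "__main__":
    # Constructed sample categorization for a hypothetical payroll system.
    sample = ("SC payroll system = {(confidentiality, MODERATE), "
              "(integrity, HIGH), (availability, LOW)}")
    # AC-17 (Remote Access) is assumed here as the control being tailored.
    sel = categorize_and_select("payroll", sample, [
        TailoringDecision("AC-17", "parameter assigned",
                          "remote access limited to agency-managed VPN"),
    ])
    print(sel.level, sel.baseline)  # HIGH high
```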


    DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS

    COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES

    In developing standards and guidelines required by FISMA, NIST consults with other federal agencies and the private sector to improve information security, avoid unnecessary and costly duplication of effort, and ensure that its publications are complementary with the standards and guidelines employed for the protection of national security systems. In addition to a comprehensive public review and vetting process, NIST is collaborating with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to establish a unified information security framework for the federal government. A common foundation for information security will provide the Civil, Defense, and Intelligence sectors of the federal government and their contractors more cost-effective and consistent ways to manage information security-related risk to organizational operations and assets, individuals, other organizations, and the Nation. The unified framework will also provide a strong basis for reciprocal acceptance of authorization decisions and facilitate information sharing. NIST is also working with many public and private sector entities to establish mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC).


    SECURITY REQUIREMENTS

    FROM THE PERSPECTIVE OF DIFFERENT COMMUNITIES OF INTEREST

    The term security requirement is used by different communities and groups in different ways and may require additional explanation to establish the particular context for the various use cases. Security requirements can be stated at a very high level of abstraction, for example, in legislation, Executive Orders, directives, policies, standards, and mission/business needs statements. FISMA and FIPS Publication 200 articulate security requirements at such a level.

    Acquisition personnel develop security requirements for contracting purposes that address the protections necessary to achieve mission/business needs. Systems/security engineers, system developers, and systems integrators develop the security design requirements for the information system, develop the system security architecture and the architecture-specific derived security requirements, and subsequently implement specific security functions at the hardware, software, and firmware component level.

    Security requirements are also reflected in various nontechnical security controls that address such matters as policy and procedures at the management and operational elements within organizations, again at differing levels of detail. It is important to define the context for each use of the term security requirement so the respective communities (including individuals responsible for policy, architecture, acquisition, engineering, and mission/business protection) can clearly communicate their intent.

    Organizations may define certain security capabilities needed to satisfy security requirements and provide appropriate mission and business protection. Security capabilities are typically defined by bringing together a specific set of safeguards/countermeasures (i.e., security controls) derived from the appropriately tailored baselines that together produce the needed capability.


    TECHNOLOGY AND POLICY NEUTRALITY

    CHARACTERISTICS OF SECURITY CONTROLS

    The security controls in the catalog, with few exceptions, have been designed to be policy- and technology-neutral. This means that security controls and control enhancements focus on the fundamental safeguards and countermeasures necessary to protect information during processing, while in storage, and during transmission. Therefore, it is beyond the scope of this publication to provide guidance on the application of security controls to specific technologies, environments of operation, communities of interest, or missions/business functions. Application-specific areas are addressed by the use of the tailoring process described in Chapter Three and the use of overlays described in Appendix I. It should also be noted that while the security controls are largely policy- and technology-neutral, that does not imply that the controls are policy- and technology-unaware. Understanding policy and technology is necessary so that the controls are meaningful and relevant when implemented.

    In the few cases where specific technologies are called out in security controls (e.g., mobile, PKI, wireless, VOIP), organizations are cautioned that the need to provide adequate security goes well beyond the requirements in a single control associated with a particular technology. Many of the needed safeguards and countermeasures are obtained from the other security controls in the catalog allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap in the protections articulated by the security controls within the different control families.

    In addition to the customer-driven development of specialized security plans and overlays, NIST Special Publications and Interagency Reports may provide guidance on recommended security controls for specific technologies and sector-specific applications (e.g., Smart Grid, healthcare, Industrial Control Systems, and mobile).

    Employing a technology- and policy-neutral security control catalog has the following benefits:

    • It encourages organizations to focus on the security capabilities required for mission/business success and the protection of information, irrespective of the information technologies that are employed in organizational information systems.

    • It encourages organizations to analyze each security control for its applicability to specific technologies, environments of operation, missions/business functions, and communities of interest.

    • It encourages organizations to specify security policies as part of the tailoring process for security controls that have variable parameters.

    The specialization of security plans using the tailoring guidance and overlays, together with a robust set of technology- and policy-neutral security controls, promotes cost-effective, risk-based information security for organizations—in any sector, for any technology, and in any operating environment.


    INFORMATION SECURITY DUE DILIGENCE

    MANAGING THE RISK TO ORGANIZATIONAL MISSIONS/BUSINESS FUNCTIONS

    The security controls in NIST Special Publication 800-53 are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. Information security due diligence includes using all appropriate information as part of an organization-wide risk management program to effectively use the tailoring guidance and inherent flexibility in NIST publications so that the selected security controls documented in organizational security plans meet the mission and business requirements of organizations. Using the risk management tools and techniques that are available to organizations is essential in developing, implementing, and maintaining the safeguards and countermeasures with the necessary and sufficient strength of mechanism to address the current threats to organizational operations and assets, individuals, other organizations, and the Nation. Employing effective risk-based processes, procedures, and technologies will help ensure that all federal information systems and organizations have the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications, and continuity of government.


    PRIVACY CONTROLS

    PROVIDING PRIVACY PROTECTION FOR FEDERAL INFORMATION

    Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies. The Privacy Appendix:

    • Provides a structured set of privacy controls, based on best practices, that help organizations comply with applicable federal laws, Executive Orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuances;

    • Establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;

    • Demonstrates the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and ongoing monitoring of privacy controls deployed in federal information systems, programs, and organizations; and

    • Promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.

    There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G. For example, the control AR-1 (Governance and Privacy Program) requires organizations to develop privacy plans that can be implemented at the organizational or program level. These plans can also be used in conjunction with security plans to provide an opportunity for organizations to select the appropriate set of security and privacy controls in accordance with organizational mission/business requirements and the environments in which the organizations operate. Incorporating the same concepts used in managing information security risk helps organizations implement privacy controls in a more cost-effective, risk-based manner while simultaneously protecting individual privacy and meeting compliance requirements. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance with those requirements.


    CAUTIONARY NOTE

    IMPLEMENTING CHANGES BASED ON REVISIONS TO SPECIAL PUBLICATION 800-53

    When NIST publishes revisions to Special Publication 800-53, there are four primary types of changes made to the document: (i) security controls or control enhancements are added to or withdrawn from Appendices F and G and/or to the low, moderate, and high baselines; (ii) supplemental guidance is modified; (iii) material in the main chapters or appendices is modified; and (iv) language is clarified and/or updated throughout the document.

    When modifying existing tailored security control baselines at Tier 3 in the risk management hierarchy (as described in Special Publication 800-39) and updating security controls at any tier as a result of Special Publication 800-53 revisions, organizations should take a measured, risk-based approach in accordance with organizational risk tolerance and current risk assessments. Unless otherwise directed by OMB policy, the following activities are recommended to implement changes to Special Publication 800-53:

    • First, organizations determine if any added security controls/control enhancements are applicable to organizational information systems or environments of operation following tailoring guidelines in this publication.

    • Next, organizations review changes to the supplemental guidance, guidance in the main chapters and appendices, and updated/clarified language throughout the publication to determine if changes apply to any organizational information systems and if any immediate actions are required.

    • Finally, once organizations have determined the entirety of changes necessitated by the revisions to the publication, the changes are integrated into the established continuous monitoring process to the greatest extent possible. The implementation of new or modified security controls to address specific, active threats is always the highest priority for sequencing and implementing changes. Modifications such as changes to templates or minor language changes in policy or procedures are generally the lowest priority and are made in conjunction with established review cycles.


    Table of Contents

    CHAPTER ONE  INTRODUCTION ........................................... 1
      1.1 PURPOSE AND APPLICABILITY ..................................... 2
      1.2 TARGET AUDIENCE ............................................... 3
      1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS ........... 3
      1.4 ORGANIZATIONAL RESPONSIBILITIES ............................... 4
      1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION ...................... 6

    CHAPTER TWO  THE FUNDAMENTALS ....................................... 7
      2.1 MULTITIERED RISK MANAGEMENT ................................... 7
      2.2 SECURITY CONTROL STRUCTURE .................................... 9
      2.3 SECURITY CONTROL BASELINES ................................... 12
      2.4 SECURITY CONTROL DESIGNATIONS ................................ 14
      2.5 EXTERNAL SERVICE PROVIDERS ................................... 17
      2.6 ASSURANCE AND TRUSTWORTHINESS ................................ 20
      2.7 REVISIONS AND EXTENSIONS ..................................... 26

    CHAPTER THREE  THE PROCESS ......................................... 28
      3.1 SELECTING SECURITY CONTROL BASELINES ......................... 28
      3.2 TAILORING BASELINE SECURITY CONTROLS ......................... 30
      3.3 CREATING OVERLAYS ............................................ 40
      3.4 DOCUMENTING THE CONTROL SELECTION PROCESS .................... 42
      3.5 NEW DEVELOPMENT AND LEGACY SYSTEMS ........................... 44

    APPENDIX A  REFERENCES ............................................ A-1
    APPENDIX B  GLOSSARY .............................................. B-1
    APPENDIX C  ACRONYMS .............................................. C-1
    APPENDIX D  SECURITY CONTROL BASELINES – SUMMARY .................. D-1
    APPENDIX E  ASSURANCE AND TRUSTWORTHINESS ......................... E-1
    APPENDIX F  SECURITY CONTROL CATALOG .............................. F-1
    APPENDIX G  INFORMATION SECURITY PROGRAMS ......................... G-1
    APPENDIX H  INTERNATIONAL INFORMATION SECURITY STANDARDS .......... H-1
    APPENDIX I  OVERLAY TEMPLATE ...................................... I-1
    APPENDIX J  PRIVACY CONTROL CATALOG ............................... J-1


    Prologue

    “…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”

    “…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”

-- THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS, OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE



    Foreword

    NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

    Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

    To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, several new features have been added to this revision to make it easier for organizations to use. These include:

    • Assumptions relating to security control baseline development;

    • Expanded, updated, and streamlined tailoring guidance;

    • Additional assignment and selection statement options for security and privacy controls;

    • Descriptive names for security and privacy control enhancements;

    • Consolidated tables for security controls and control enhancements by family with baseline allocations;

    • Tables for security controls that support development, evaluation, and operational assurance; and

    • Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).



    The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

    The Joint Task Force



    Errata

    The following changes have been incorporated into Special Publication 800-53, Revision 4.

DATE | TYPE | CHANGE | PAGE
05-07-2013 | Editorial | Changed CA-9 Priority Code from P1 to P2 in Table D-2. | D-3
05-07-2013 | Editorial | Changed CM-10 Priority Code from P1 to P2 in Table D-2. | D-4
05-07-2013 | Editorial | Changed MA-6 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed MP-3 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-5 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-16 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-17 Priority Code from P1 to P2 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PE-18 Priority Code from P2 to P3 in Table D-2. | D-5
05-07-2013 | Editorial | Changed PL-4 Priority Code from P1 to P2 in Table D-2. | D-6
05-07-2013 | Editorial | Changed PS-4 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SA-11 Priority Code from P2 to P1 in Table D-2. | D-6
05-07-2013 | Editorial | Changed SC-18 Priority Code from P1 to P2 in Table D-2. | D-7
05-07-2013 | Editorial | Changed SI-8 Priority Code from P1 to P2 in Table D-2. | D-8
05-07-2013 | Editorial | Deleted reference to SA-5(6) in Table D-17. | D-32
05-07-2013 | Editorial | Deleted CM-4(3) from Table E-2. | E-4
05-07-2013 | Editorial | Deleted CM-4(3) from Table E-3. | E-5
05-07-2013 | Editorial | Deleted reference to SA-5(6). | F-161
05-07-2013 | Editorial | Changed SI-16 Priority Code from P0 to P1. | F-233
01-15-2014 | Editorial | Deleted "(both intentional and unintentional)" in line 5 in Abstract. | iii
01-15-2014 | Editorial | Deleted "security and privacy" in line 5 in Abstract. | iii
01-15-2014 | Editorial | Changed "an initial set of baseline security controls" to "the applicable security control baseline" in Section 2.1, RMF Step 2. | 9
01-15-2014 | Editorial | Deleted the following paragraph: "The security control enhancements section provides…in Appendix F." | 11
01-15-2014 | Editorial | Changed "baseline security controls" to "the security control baselines" in Section 2.3, 2nd paragraph, line 6. | 13
01-15-2014 | Editorial | Changed "an initial set of security controls" to "the applicable security control baseline" in Section 3.1, paragraph 2, line 4. | 28
01-15-2014 | Editorial | Changed "security control baselines" to "baselines identified in Appendix D" in Section 3.1, paragraph 2, line 5. | 28
01-15-2014 | Editorial | Changed "an appropriate set of baseline controls" to "the appropriate security control baseline" in Section 3.1, paragraph 3, line 3. | 29
01-15-2014 | Editorial | Deleted "initial" before "security control baseline" and added "FIPS 200" before "impact level" in Section 3.1, paragraph 3, line 4. | 29
01-15-2014 | Editorial | Changed "sets of baseline security controls" to "security control baselines" in Section 3.1, paragraph 3, line 6. | 29
01-15-2014 | Editorial | Changed "initial set of baseline security controls" to "applicable security control baseline" in Section 3.2, paragraph 1, line 1. | 30
01-15-2014 | Editorial | Changed "initial set of baseline security controls" to "applicable security control baseline" in Section 3.2, paragraph 3, line 5. | 31
01-15-2014 | Editorial | Deleted "set of" before "security controls" in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1. | 33
01-15-2014 | Editorial | Deleted "initial" before "set of" in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2. | 33
01-15-2014 | Editorial | Changed "the baselines" to "each baseline" in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3. | 33
01-15-2014 | Editorial | Changed "initial set of security controls" to "security control baseline" in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5. | 33
01-15-2014 | Editorial | Added "specific" before "locations" in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6. | 33
01-15-2014 | Editorial | Changed "initial" to "three" in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8. | 33
01-15-2014 | Editorial | Changed "initial set of baseline security controls" to "applicable security control baseline" in Section 3.2, Selecting Compensating Security Controls, line 10. | 36
01-15-2014 | Editorial | Changed "a set of initial baseline security controls" to "security control baselines" in Section 3.3, line 1. | 40
01-15-2014 | Editorial | Added "." after "C.F.R" in #3, Policies, Directives, Instructions, Regulations, and Memoranda. | A-1
01-15-2014 | Editorial | Added "Revision 1 (Draft)" to NIST Special Publication 800-52 in References. | A-7
01-15-2014 | Editorial | Added "Configuration," to title of NIST Special Publication 800-52, Revision 1. | A-7
01-15-2014 | Editorial | Changed date for NIST Special Publication 800-52, Revision 1 to September 2013. | A-7
01-15-2014 | Editorial | Moved definition for Information Security Risk after Information Security Program Plan in Glossary. | B-11
01-15-2014 | Editorial | Added AC-2(11) to high baseline in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-10 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-14 Priority Code from P1 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AC-22 Priority Code from P2 to P3 in Table D-2. | D-2
01-15-2014 | Editorial | Changed AU-10 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-6 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-7 Priority Code from P3 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed CA-8 Priority Code from P1 to P2 in Table D-2. | D-3
01-15-2014 | Editorial | Changed IA-6 Priority Code from P1 to P2 in Table D-2. | D-4
01-15-2014 | Editorial | Changed IR-7 Priority Code from P3 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-3 Priority Code from P2 to P3 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-4 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Changed MA-5 Priority Code from P1 to P2 in Table D-2. | D-5
01-15-2014 | Editorial | Deleted Program Management Controls from Table D-2. | D-8/9
01-15-2014 | Editorial | Deleted the following sentence at end of paragraph: "There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline." | D-9
01-15-2014 | Editorial | Added AC-2(12) and AC-2(13) to high baseline in Table D-3. | D-10
01-15-2014 | Editorial | Changed AC-17(5) incorporated into reference from AC-17 to SI-4 in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-17(7) incorporated into reference from AC-3 to AC-3(10) in Table D-3. | D-12
01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice in Table D-5. | D-15
01-15-2014 | Editorial | Changed "Training" to "Scanning" in SA-19(4) title in Table D-17. | D-34
01-15-2014 | Editorial | Deleted SC-9(1), SC-9(2), SC-9(3), and SC-9(4) from Table D-18. | D-37
01-15-2014 | Editorial | Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18. | D-37
01-15-2014 | Editorial | Deleted CA-3(5) from Table E-2. | E-4
01-15-2014 | Editorial | Added CM-3(2) to Table E-2. | E-4
01-15-2014 | Editorial | Added RA-5(2) and RA-5(5) to Table E-2. | E-4
01-15-2014 | Editorial | Deleted CA-3(5) from Table E-3. | E-5
01-15-2014 | Editorial | Added CM-3(2) to Table E-3. | E-5
01-15-2014 | Editorial | Deleted bold text from RA-5(2) and RA-5(5) in Table E-3. | E-5
01-15-2014 | Editorial | Added CM-8(9) to Table E-4. | E-7
01-15-2014 | Editorial | Added CP-4(4) to Table E-4. | E-7
01-15-2014 | Editorial | Added IR-3(1) to Table E-4. | E-7
01-15-2014 | Editorial | Added RA-5(3) to Table E-4. | E-7
01-15-2014 | Editorial | Deleted SA-4(4) from Table E-4. | E-7
01-15-2014 | Editorial | Changed SA-21(1) from "enhancements" to "enhancement" in Table E-4. | E-7
01-15-2014 | Editorial | Deleted SI-4(8) from Table E-4. | E-7
01-15-2014 | Editorial | Changed "risk management process" to "RMF" in Using the Catalog, line 4. | F-6
01-15-2014 | Editorial | Changed "an appropriate set of security controls" to "the appropriate security control baselines" in Using the Catalog, line 5. | F-6
01-15-2014 | Editorial | Deleted extraneous "," from AC-2 g. | F-7
01-15-2014 | Editorial | Added AC-2(11) to high baseline. | F-10
01-15-2014 | Substantive | Added the following text to AC-3(2) Supplemental Guidance: "Dual authorization may also be known as two-person control." | F-11
01-15-2014 | Editorial | Changed "ucdmo.gov" to "None" in AC-4 References. | F-18
01-15-2014 | Editorial | Added "." after "C.F.R" in AT-2 References. | F-38
01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice. | F-42
01-15-2014 | Editorial | Deleted "csrc.nist.gov/pcig/cig.html" and added "http://" to URL in AU-2 References. | F-42
01-15-2014 | Editorial | Changed "identify" to "identity" in AU-6(6) Supplemental Guidance. | F-46
01-15-2014 | Substantive | Added the following text to AU-9(5) Supplemental Guidance: "Dual authorization may also be known as two-person control." | F-49
01-15-2014 | Editorial | Added "Control Enhancements: None." to AU-15. | F-53
01-15-2014 | Editorial | Deleted extraneous "." from CM-2(7) Supplemental Guidance. | F-66
01-15-2014 | Editorial | Added ")" after "board" in CM-3 g. | F-66
01-15-2014 | Substantive | Added CA-7 to related controls list in CM-3. | F-66
01-15-2014 | Substantive | Added the following text to CM-5(4) Supplemental Guidance: "Dual authorization may also be known as two-person control." | F-69
01-15-2014 | Editorial | Added "http://" to URLs in CM-6 References. | F-71
01-15-2014 | Editorial | Added "component" before "inventories" in CM-8(5). | F-74
01-15-2014 | Editorial | Changed "tsp.ncs.gov" to "http://www.dhs.gov/telecommunications-service-priority-tsp" in CP-8 References. | F-86
01-15-2014 | Substantive | Added the following text to CP-9(7) Supplemental Guidance: "Dual authorization may also be known as two-person control." | F-87
01-15-2014 | Editorial | Changed "HSPD 12" to "HSPD-12" and added "http://" to URL in IA-2 References. | F-93
01-15-2014 | Editorial | Changed "encrypted representations of" to "cryptographically-protected" in IA-5(1) (c). | F-96
01-15-2014 | Editorial | Changed "Encrypted representations of" to "Cryptographically-protected" in IA-5(1) Supplemental Guidance. | F-97
01-15-2014 | Substantive | Added the following text to IA-5(1) Supplemental Guidance: "To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords." | F-97
01-15-2014 | Editorial | Added "http://" to URL in IA-5 References. | F-99
01-15-2014 | Editorial | Added "http://" to URL in IA-7 References. | F-99
01-15-2014 | Editorial | Added "http://" to URL in IA-8 References. | F-101
01-15-2014 | Editorial | Changed ":" to ";" after "800-61" and added "http://" to URL in IR-6 References. | F-108
01-15-2014 | Substantive | Added the following text to MP-6(7) Supplemental Guidance: "Dual authorization may also be known as two-person control." | F-124
01-15-2014 | Editorial | Added "http://" to URL in MP-6 References. | F-124
01-15-2014 | Editorial | Changed "DoDI" to "DoD Instruction" and added "http://" to URLs in PE-3 References. | F-130
01-15-2014 | Editorial | Deleted "and supplementation" after "tailoring" in PL-2 a. 8. | F-140
01-15-2014 | Editorial | Added "Special" before "Publication" in PL-4 References. | F-141
01-15-2014 | Editorial | Added "Control Enhancements: None." to PL-7. | F-142
01-15-2014 | Editorial | Deleted AT-5, AC-19(6), AC-19(8), and AC-19(9) from PL-9 Supplemental Guidance. | F-144
01-15-2014 | Editorial | Added "Control Enhancements: None." to PL-9. | F-144
01-15-2014 | Editorial | Added "Special" before "Publication" in PL-9 References. | F-144
01-15-2014 | Editorial | Changed "731.106(a)" to "731.106" in PS-2 References. | F-145
01-15-2014 | Editorial | Changed "Publication" to "Publications" and added "http://" to URL in RA-3 References. | F-153
01-15-2014 | Editorial | Added "http://" to URLs in RA-5 References. | F-155
01-15-2014 | Editorial | Added "http://" to URLs in SA-4 References. | F-160
01-15-2014 | Substantive | Added the following text to SA-11(8) Supplemental Guidance: "To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms)." | F-169
01-15-2014 | Editorial | Added "http://" to URLs in SA-11 References. | F-169
01-15-2014 | Editorial | Added "Control Enhancements: None." to SA-16. | F-177
01-15-2014 | Editorial | Changed "Training" to "Scanning" in SA-19(4) title. | F-181
01-15-2014 | Editorial | Changed "physical" to "protected" in SC-8 Supplemental Guidance. | F-193
01-15-2014 | Editorial | Changed "140-2" to "140" and added "http://" to URLs in SC-13 References. | F-196
01-15-2014 | Editorial | Added "authentication" after "data origin" in SC-20, Part a. | F-199
01-15-2014 | Editorial | Added "verification" after "integrity" in SC-20, Part a. | F-199
01-15-2014 | Editorial | Added "Control Enhancements: None." to SC-35. | F-209
01-15-2014 | Editorial | Deleted extraneous "References: None" from SI-7. | F-228
01-15-2014 | Substantive | Added the following text as new third paragraph in Appendix G: "Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control)." | G-1/2
01-15-2014 | Editorial | Added Table G-1 to Appendix G. | G-2
01-15-2014 | Editorial | Added "http://" to URL in PM-5 References. | G-5
01-15-2014 | Editorial | Deleted "Web: www.fsam.gov" from PM-7 References. | G-5
01-15-2014 | Editorial | Added "http://" to URL in Footnote 124. | J-22
01-22-2015 | Editorial | Changed security control enhancement naming convention (i.e., format) by deleting the space between the base security control and the numbered enhancement designation. | Global
01-22-2015 | Editorial | Changed "(iv) and" to "and (iv)" in Glossary definition for Developer. | B-6
01-22-2015 | Editorial | Changed "an IR-2 (1) in the high baseline entry for the IR-2 security control" to "the IR-2 (1) (2) entry in the high baseline for IR-2" in Appendix D, paragraph 1, line 8. | D-1
01-22-2015 | Editorial | Changed "enhancement (1)" to "enhancements (1) and (2)" in Appendix D, paragraph 1, line 10. | D-1
01-22-2015 | Editorial | Deleted "in the security control catalog" in Appendix D, paragraph 1, line 10. | D-1
01-22-2015 | Editorial | Changed "SHARED GROUPS / ACCOUNTS" to "SHARED / GROUP ACCOUNTS" in Table D-3, AC-2(9) title. | D-10
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in Table D-4, AT-3(1) title. | D-14
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in Table D-4, AT-3(2) title. | D-14
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in Table D-4, AT-3(3) title. | D-14
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in Table D-4, AT-3(4) title. | D-14
01-22-2015 | Editorial | Added "-BASED" to "BIOMETRIC" in Table D-9, IA-5(12) title. | D-23
01-22-2015 | Editorial | Deleted "/ ANALYSIS" after "PENETRATION TESTING" in Table D-17, SA-11(5) title. | D-33
01-22-2015 | Editorial | Changed "(1)" from normal font to bold font in Table E-4, SI-4(1). | E-7
01-22-2015 | Editorial | Changed "SHARED GROUPS / ACCOUNTS" to "SHARED / GROUP ACCOUNTS" in AC-2(9) title. | F-10
01-22-2015 | Editorial | Changed "use" to "usage" in AC-2(12) part (a). | F-10
01-22-2015 | Editorial | Changed "policies" to "policy" in AC-3(3). | F-11
01-22-2015 | Editorial | Deleted "specifies that" in AC-3(3). | F-11
01-22-2015 | Editorial | Changed "The policy is" to "Is" in AC-3(3) part (a). | F-11
01-22-2015 | Editorial | Changed "A" to "Specifies that a" in AC-3(3) part (b). | F-11
01-22-2015 | Editorial | Added "Specifies that" to AC-3(3) part (c). | F-11
01-22-2015 | Editorial | Changed "Organized-defined" to "organization-defined" in AC-3(3) part (c). | F-11
01-22-2015 | Editorial | Changed "policies" to "policy" in AC-3(4). | F-12
01-22-2015 | Editorial | Added "information" before "flows" in AC-4(7). | F-15
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in AT-3(1) title. | F-39
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in AT-3(2) title. | F-39
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in AT-3(3) title. | F-39
01-22-2015 | Editorial | Added "ROLE-BASED" before "SECURITY TRAINING" in AT-3(4) title. | F-39
01-22-2015 | Editorial | Added "the" before "relationship" in AU-12(1). | F-52
01-22-2015 | Editorial | Moved "." outside of closing bracket in Withdrawn section. | F-61
01-22-2015 | Editorial | Changed "that" to "those" in CP-7 part c. | F-84
01-22-2015 | Editorial | Deleted "list of" in IA-2(10). | F-92
01-22-2015 | Editorial | Deleted "such as documentary evidence or a combination of documents and biometrics" in IA-4(3). | F-95
01-22-2015 | Editorial | Added ", such as documentary evidence or a combination of documents and biometrics," in IA-4(3) Supplemental Guidance. | F-95
01-22-2015 | Editorial | Added "-BASED" to "BIOMETRIC" in IA-5(12) title. | F-98
01-22-2015 | Editorial | Changed "testing/exercises" to "testing" in IR-4 part c. | F-105
01-22-2015 | Editorial | Deleted "and" before "prior" in MA-4(3) part (b). | F-115
01-22-2015 | Editorial | Changed "Sanitation" to "Sanitization" in MP-7(2) Supplemental Guidance (two instances). | F-125
01-22-2015 | Editorial | Changed "resign" to "re-sign" in PL-4 part d. | F-141
01-22-2015 | Editorial | Deleted "security categorization decision is reviewed and approved by the" before "authorizing" (first instance) in RA-2 part c. | F-151
01-22-2015 | Editorial | Added "reviews and approves the security categorization decision" after "representative" in RA-2 part c. | F-151
01-22-2015 | Editorial | Changed ";" to "," after IA-2 in SA-4(10) Supplemental Guidance. | F-160
01-22-2015 | Editorial | Added "takes" before assignment statement in SA-5 part c. | F-161
01-22-2015 | Editorial | Changed "either is" to "is either" in SA-11(3) part (b). | F-167
01-22-2015 | Editorial | Deleted "has been" before "granted" in SA-11(3) part (b). | F-167
01-22-2015 | Editorial | Deleted "/ ANALYSIS" after "PENETRATION TESTING" in SA-11(5) title. | F-168
01-22-2015 | Editorial | Deleted "enhancement" after "control" in SA-12 Supplemental Guidance. | F-169
01-22-2015 | Editorial | Deleted "Related control: PE-21." from SA-12(9) Supplemental Guidance. | F-171
01-22-2015 | Editorial | Changed "reference to source" to "references to sources" in SC-5. | F-187
01-22-2015 | Editorial | Added "to be" before "routed to" in SC-7(11). | F-190
01-22-2015 | Editorial | Changed "i" to "1" and "ii" to "2" in SI-4 part c. | F-219
01-22-2015 | Editorial | Changed "USER" to "USERS" in SI-4(20) title. | F-223
01-22-2015 | Editorial | Deleted "for" in SI-6(2). | F-225
01-22-2015 | Editorial | Changed "interfaces" to "interactions" in SI-10(4) Supplemental Guidance. | F-229
01-22-2015 | Editorial | Changed "-" to "," after AU-7 in PM-12 Supplemental Guidance. | G-8
01-22-2015 | Substantive | Updated the introduction to Appendix H and Tables H-1 and H-2 in accordance with the 2013 version of ISO/IEC 27001 and revised security control mapping methodology. | H-1 through H-12
01-22-2015 | Editorial | Deleted UL-3 from related controls list in SE-1. | J-20
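The 01-15-2014 substantive erratum to IA-5(1) adds two requirements that are easy to get wrong in practice: stored passwords must be "cryptographically-protected" rather than merely hashed, and they should be salted to blunt brute-force attacks. The following is an added example, not NIST text or code from the publication, showing why the salt matters: an unsalted digest gives every user who chose the same password the same stored record, so one precomputed table or one cracked record breaks all of them, whereas a per-record random salt fed into a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here) produces distinct records and forces the attacker to work per record. The record format, the iteration count, and the `salt` parameter on `make_record` (present only so the behaviour can be tested deterministically) are this example's own assumptions, not anything the control text specifies.

```python
"""Added example (not NIST code): salted, cryptographically protected
password storage as recommended by the IA-5(1) erratum. The record
format, iteration count and helper names below are illustrative
assumptions, not requirements stated in SP 800-53."""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 at this cost. Tune upward as hardware allows;
# the point is that each guess costs the attacker as much as it costs you.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The practice IA-5(1) warns against: a bare, unsalted digest.
    Two users with the same password get byte-identical records, so a
    single precomputed (rainbow) table covers every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn for every call unless the caller supplies
    one; the explicit `salt` argument exists only for deterministic tests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in
    the record and compare in constant time, so response timing does not
    leak how many leading digest bytes a guess got right."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def identical_passwords_share_record(password: str, salted: bool) -> bool:
    """Simulate two users choosing the same password. Unsalted storage
    always yields identical records; salted storage never should."""
    if salted:
        return make_record(password) == make_record(password)
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    rec = make_record(pw)
    print("unsalted digests collide:", identical_passwords_share_record(pw, False))
    print("salted records collide:  ", identical_passwords_share_record(pw, True))
    print("verify correct password: ", verify(pw, rec))
    print("verify wrong password:   ", verify("Tr0ub4dor&4", rec))
```

Storing the algorithm and iteration count inside each record is what lets an organization raise the cost factor later and re-hash accounts transparently on their next successful login, which is how the "cryptographically-protected" requirement stays meaningful as hardware gets faster.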



CHAPTER ONE

INTRODUCTION
THE NEED TO PROTECT INFORMATION AND INFORMATION SYSTEMS

The selection and implementation of security controls for information systems1 and organizations are important tasks that can have major implications for the operations2 and assets of organizations3 as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.4 There are several key questions that organizations should answer when addressing the information security considerations for information systems:

    • What security controls are needed to satisfy the security requirements and to adequately mitigate risk incurred by using information and information systems in the execution of organizational missions and business functions?

    • Have the security controls been implemented, or is there an implementation plan in place?

• What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?5

    The answers to these questions are not given in isolation but rather in the context of an effective risk management process for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks6 arising from its information and information systems. NIST Special Publication 800-39 provides guidance on managing information security risk at three distinct tiers—the organization level, mission/business process level, and information system level. The security controls defined in this publication and recommended for use by organizations to satisfy their information security requirements should be employed as part of a well-defined risk management process that supports organizational information security programs.7

1 An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process control systems, telephone switching/private branch exchange (PBX) systems, and environmental control systems.
2 Organizational operations include mission, functions, image, and reputation.
3 The term organization describes an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).
4 Security requirements are derived from mission/business needs, laws, Executive Orders, directives, regulations, policies, instructions, standards, guidance, and/or procedures to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by organizational information systems.
5 Security control effectiveness addresses the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system in its operational environment or enforcing/mediating established security policies.
6 Information security-related risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the Nation.
7 The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.




    It is of paramount importance that responsible officials understand the risks and other factors that could adversely affect organizational operations and assets, individuals, other organizations, and the Nation.8 These officials must also understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and accomplish the organization’s stated missions and business functions with what the OMB Circular A-130 defines as adequate security, or security commensurate with risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

1.1 PURPOSE AND APPLICABILITY

The purpose of this publication is to provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components9 of an information system that process, store, or transmit federal information. The guidelines have been developed to achieve more secure information systems and effective risk management within the federal government by:

    • Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations;

    • Providing a stable, yet flexible catalog of security controls to meet current information protection needs and the demands of future protection needs based on changing threats, requirements, and technologies;

    • Providing a recommendation for security controls for information systems categorized in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;

    • Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and

    • Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts.

    In addition to the security controls described above, this publication: (i) provides a set of information security program management (PM) controls that are typically implemented at the organization level and not directed at individual organizational information systems; (ii) provides a set of privacy controls based on international standards and best practices that help organizations enforce privacy requirements derived from federal legislation, directives, policies, regulations, and standards; and (iii) establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance with those requirements. Incorporating the same concepts used in managing information security risk helps organizations implement privacy controls in a more cost-effective, risk-based manner.

    8 This includes risk to critical infrastructure/key resources described in Homeland Security Presidential Directive 7.

    9 Information system components include, for example, mainframes, workstations, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), input/output devices (e.g., scanners, copiers, printers), network components (e.g., firewalls, routers, gateways, voice and data switches, process controllers, wireless access points, network appliances, sensors), operating systems, virtual machines, middleware, and applications.

    The guidelines in this special publication are applicable to all federal information systems10 other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.11 The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems.12 State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.

    1.2 TARGET AUDIENCE This publication is intended to serve a diverse audience of information system and information security professionals including:

    • Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, senior information security officers,13 information system managers, information security managers);

    • Individuals with information system development responsibilities (e.g., program managers, system designers and developers, information security engineers, systems integrators);

    • Individuals with information security implementation and operational responsibilities (e.g., mission/business owners, information system owners, common control providers, information owners/stewards, system administrators, information system security officers);

    • Individuals with information security assessment and monitoring responsibilities (e.g., auditors, Inspectors General, system evaluators, assessors, independent verifiers/validators, analysts, information system owners); and

    • Commercial companies producing information technology products and systems, creating information security-related technologies, or providing information security services.

    1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS To create a technically sound and broadly applicable set of security controls for information systems and organizations, a variety of sources were considered during the development of this special publication. The sources included security controls from the defense, audit, financial, healthcare, industrial/process control, and intelligence communities as well as controls defined by national and international standards organizations. The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements14 levied on organizations, mission/business processes, and information systems and that is consistent with and complementary to other established information security standards.

    10 A federal information system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

    11 A national security system is any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency: (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, e.g., payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

    12 CNSS Instruction 1253 provides implementing guidance for national security systems.

    13 At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may also refer to this position as the Senior Information Security Officer or the Chief Information Security Officer.

    The catalog of security controls in Special Publication 800-53 can be effectively used to protect information and information systems from traditional and advanced persistent threats in varied operational, environmental, and technical scenarios. The controls can also be used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. Organizations have the responsibility to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying established security requirements.15 The security controls facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent/repeatable manner—thus contributing to the organization’s confidence that security requirements continue to be satisfied on an ongoing basis. In addition, security controls can be used in developing overlays for specialized information systems, information technologies, environments of operation, or communities of interest (see Appendix I).

    1.4 ORGANIZATIONAL RESPONSIBILITIES Organizations use FIPS Publication 199 to categorize their information and information systems. Security categorization is accomplished as an organization-wide activity16 with the involvement of senior-level organizational personnel including, for example, authorizing officials, chief information officers, senior information security officers, information owners and/or stewards, information system owners, and risk executive (function).17 Information is categorized at Tier 1 (organization level) and at Tier 2 (mission/business process level). In accordance with FIPS Publication 200, organizations use the security categorization results from Tiers 1 and 2 to designate organizational information systems at Tier 3 (information system level) as low-impact, moderate-impact, or high-impact systems. For each organizational information system at Tier 3, the recommendation for security controls from the baseline controls defined in Appendix D is the starting point for the security control tailoring process. While the security control selection process is generally focused on information systems at Tier 3, the process is generally applicable across all three tiers of risk management.

    FIPS Publication 199 security categorization associates information and the operation and use of information systems with the potential worst-case adverse impact on organizational operations and assets, individuals, other organizations, and the Nation.18 Organizational assessments of risk, including the use of specific and credible threat information, vulnerability information, and the likelihood of such threats exploiting vulnerabilities to cause adverse impacts, guide and inform the tailoring process and the final selection of security controls.19 The final, agreed-upon set of security controls addressing specific organizational mission/business needs and tolerance for risk is documented with appropriate rationale in the security plan for the information system.20 The use of security controls from Special Publication 800-53 (including the baseline controls as a starting point in the control selection process), facilitates a more consistent level of security for federal information systems and organizations, while simultaneously preserving the flexibility and agility organizations need to address an increasingly sophisticated and hostile threat space, specific organizational missions/business functions, rapidly changing technologies, and in some cases, unique environments of operation.

    14 Security requirements are those requirements levied on an information system that are derived from laws, Executive Orders, directives, policies, instructions, regulations, standards, guidelines, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

    15 NIST Special Publication 800-53A provides guidance on assessing the effectiveness of security controls.

    16 See FIPS Publication 200, Footnote 7.

    17 Organizations typically exercise managerial, operational, and financial control over their information systems and the security provided to those systems, including the authority and capability to implement or require the security controls deemed necessary to protect organizational operations and assets, individuals, other organizations, and the Nation.

    18 Considerations for potential national-level impacts and impacts to other organizations in categorizing organizational information systems derive from the USA PATRIOT Act and Homeland Security Presidential Directives (HSPDs).
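The categorization and baseline-designation steps in Section 1.4 are a small procedure that practitioners routinely automate in GRC tooling. The following is an added worked example written by the editor; it is not code from SP 800-53 or from NIST. It applies the high-water-mark rule that FIPS 199 (per-objective maximum over the system's information types, with "not applicable" permitted only for the confidentiality of an information type and every objective floored at low at the system level) and FIPS 200 (overall impact level = highest of the three objectives) define, and which this chapter references without restating. The information types, their impact values, and the function and baseline names are constructed for illustration and are not from any agency's categorization.

```python
"""Worked example (added by the editor, not part of SP 800-53): FIPS 199
security categorization and FIPS 200 impact-level designation, used to pick
the Appendix D baseline that starts the tailoring process.

Assumptions: the high-water-mark rule of FIPS 199/200; the information
types below are constructed sample input, not real agency data.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    # FIPS 199 allows "not applicable" only for the confidentiality
    # objective of an information type (e.g., information that is already
    # public). Integrity and availability are never NA.
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """Provisional impact values for one information type (a Tier 1/2 result)."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def impact(self, objective: str) -> Impact:
        return getattr(self, objective)

    def validate(self) -> None:
        # Reject NA where FIPS 199 does not permit it.
        if self.integrity is Impact.NA or self.availability is Impact.NA:
            raise ValueError(f"{self.name}: NA is only allowed for confidentiality")


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, Impact]:
    """FIPS 199 system categorization: for each objective, take the highest
    value over all information types the system handles (high-water mark).
    At the system level each objective is at least LOW, so an NA at the
    information-type level never drives a system objective below LOW."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    for it in types:
        it.validate()
    return {
        obj: max(Impact.LOW, max(it.impact(obj) for it in types))
        for obj in OBJECTIVES
    }


def impact_level(categorization: Dict[str, Impact]) -> Impact:
    """FIPS 200: the system's overall impact level is the highest value
    assigned to any of the three objectives (high-water mark again)."""
    return max(categorization[obj] for obj in OBJECTIVES)


def baseline_name(level: Impact) -> str:
    """Map the impact level to the Appendix D baseline that starts tailoring
    (names are illustrative labels, not control identifiers)."""
    return {
        Impact.LOW: "low-impact baseline",
        Impact.MODERATE: "moderate-impact baseline",
        Impact.HIGH: "high-impact baseline",
    }[level]


# Constructed sample input: a public-facing benefits portal that also
# processes applicant PII and payment instructions. Values are illustrative.
SAMPLE_INFO_TYPES = (
    InformationType("public program descriptions", Impact.NA, Impact.MODERATE, Impact.LOW),
    InformationType("applicant PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("benefit payment instructions", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
)


def categorize_sample() -> Dict[str, object]:
    """Run the full chain on the constructed sample: SC -> level -> baseline."""
    sc = categorize_system(SAMPLE_INFO_TYPES)
    level = impact_level(sc)
    return {"categorization": sc, "level": level, "baseline": baseline_name(level)}


if __name__ == "__main__":
    result = categorize_sample()
    sc = result["categorization"]
    print("SC system = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
          % tuple(sc[o].name for o in OBJECTIVES))
    print("impact level:", result["level"].name, "->", result["baseline"])
```

Note the two places where a hand-rolled implementation usually goes wrong: the single HIGH on integrity for payment instructions makes the whole system high-impact even though every other value is moderate or below, and the NA on the public information type does not lower the system's confidentiality objective, which is floored at LOW. Both behaviours follow from the high-water-mark rule and are exactly why tailoring, not categorization, is where organizations argue for relief.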

    Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:

    • Clearly articulated security requirements and security specifications;

    • Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;

    • Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;

    • Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;

    • Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards;21 and

    • Information security planning and system development life cycle management.22

    From an engineering viewpoint, information security is just one of many required operational capabilities for information systems that support organizational mission/business processes—capabilities that must be funded by organizations throughout the system development life cycle in order to achieve mission/business success. It is important that organizations realistically assess the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from mission/business processes and by placing information systems into operation or continuing operations. Realistic assessment of risk requires an understanding of threats to and vulnerabilities within organizations and the likelihood and potential adverse impacts of successful exploitations of such vulnerabilities by those threats.23 Finally, information security requirements must be satisfied with the full knowledge and consideration of the risk management strategy of the organization, in light of the potential cost, schedule, and performance issues associated with the acquisition, deployment, and operation of organizational information systems.24

    19 Risk assessments can be accomplished in a variety of ways depending on the specific needs of organizations. NIST Special Publication 800-30 provides guidance on the assessment of risk as part of an overall risk management process.

    20 Authorizing officials or designated representatives, by accepting the completed security plans, agree to the set of security controls proposed to meet the security requirements for organizations (including mission/business processes) and/or designated information systems.

    21 NIST Special Publication 800-137 provides guidance on continuous monitoring of organizational information systems and environments of operation.

    22 NIST Special Publication 800-64 provides guidance on the information security considerations in the system development life cycle.

    23 NIST Special Publication 800-30 provides guidance on the risk assessment process.

    1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION The remainder of this special publication is organized as follows:

    • Chapter Two describes the fundamental concepts associated with security control selection and specification including: (i) multitiered risk management; (ii) the structure of security controls and how the controls are organized into families; (iii) security control baselines as starting points for the tailoring process; (iv) the use of common controls and inheritance of security capabilities; (v) external environments and service providers; (vi) assurance and trustworthiness; and (vii) revisions and extensions to security controls and control baselines.

    • Chapter Three describes the process of selecting and specifying security controls for organizational information systems including: (i) selecting appropriate security control baselines; (ii) tailoring the baseline controls including developing specialized overlays; (iii) documenting the security control selection process; and (iv) applying the selection process to new and legacy systems.

    • Supporting appendices provide essential security control selection and specification-related information including: (i) general references;25 (ii) definitions and terms; (iii) acronyms; (iv) baseline security controls for low-impact, moderate-impact, and high-impact information systems; (v) guidance on assurance and trustworthiness in information systems; (vi) a catalog of security controls;26 (vii) a catalog of information security program management controls; (viii) mappings to international information security standards; (ix) guidance for developing overlays by organizations or communities of interest; and (x) a catalog of privacy controls.

    24 In addition to information security requirements, organizations must also address privacy requirements that derive from federal legislation and policies. Organizations can employ the privacy controls in Appendix J in conjunction with the security controls in Appendix F to achieve comprehensive security and privacy protection.

    25 Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing Standards and Special Publications) are to the most recent version of the publication.

    26 The security controls in Special Publication 800-53 are available online and can be downloaded in various formats from the NIST web site at: http://web.nvd.nist.gov/view/800-53/home.


    CHAPTER TWO

    THE FUNDAMENTALS SECURITY CONTROL STRUCTURE, ORGANIZATION, BASELINES, AND ASSURANCE

    This chapter presents the fundamental concepts associated with security control selection and specification including: (i) three-tiered risk management; (ii) the structure of security controls and the organization of the controls in the control catalog; (iii) security control baselines; (iv) the identification and use of common security controls; (v) security controls in external environments; (vi) security control assurance; and (vii) future revisions to the security controls, the control catalog, and baseline controls.

    2.1 MULTITIERED RISK MANAGEMENT The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program for the management of risk—that is, the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines. To integrate the risk management pro